Ransomware: the risks and how to avoid them

How would you manage if your school IT systems were taken down by a Ransomware attack?

At SWGfL, we have helped several schools recover after the impact of a Ransomware attack, by providing expert consultancy and support. Last year we highlighted the challenges posed by Ransomware attacks, and it continues to be a threat faced by many schools.

Usually, Ransomware gains access to systems by manipulating individuals into sharing their confidential or personal information before encrypting, or locking, their data. What follows is a ransom message demanding payment in exchange for unlocking the data. Often these attacks take the form of emails with an invoice, or a request for a quote that links to a site where the malware is downloaded. SWGfL produced this Ransomware whitepaper in October, which can help you protect yourself against Ransomware attacks.

As our annual assessment of UK schools reported recently, 35% of UK schools have no data protection policy in place. We should all be more vigilant and cautious when it comes to our data, particularly given that the UK is set to implement the new, stricter EU General Data Protection Regulation (GDPR) in May 2018. This will bring a whole raft of changes centred around the control that individuals will have over the use of their data. For schools, this will translate into (among other things):

Greater transparency and clarity about what they do with children’s data

More emphasis on obtaining clearer and auditable consent before sharing data

A legal requirement to notify a system breach within 24 hours and

A requirement to appoint a dedicated data protection officer

Recently the manner in which WhatsApp manages the encryption of messages has been brought into question. It does pose an interesting question for the type of communication that may take place between teachers. For instance, in some schools, it may be plausible that the teacher and support staff or senior leader may have a conversation about a pupil’s specific requirements via WhatsApp. However, if the service is not secure, there is a risk that those messages could be intercepted and shared, so it’s a factor to consider.

Many staff members in schools have access to large amounts of personal data, far more than in many other industries or jobs. Because this goes with the territory, it’s easy to become complacent, which in turn can lead to a more relaxed attitude to the security of that data. Unfortunately, the most common cause of a data protection breach is a user, and in schools, they remain one of the least likely groups to have received training.

I recently heard about a teacher who shared a video taken inside her classroom on Twitter. The young people were enjoying the activity and sharing thoughts, but around the edge of the monitor in the background were post-it notes with login and password details! Not the best way to protect access to your data.

One of the most effective ways to secure your systems from attack, both personally and professionally, is still a good passphrase. Sadly, most people tend to use a password, and the same one, in multiple places because they find them hard to remember. Our recent blog offers some good advice on how to ensure your passwords and passphrases are secure.

For many schools, a good source of advice is vital in understanding complex statutory obligations. In June 2016 we launched 360data, a new self-review tool which helps organisations test and improve their data protection policies and practices.

360data has been built on the award-winning 360safe self-review tool used by more than 10,000 schools in the UK. After completing the initial assessment, the tool will suggest next steps for improvement, sources of good practice and even produce template documents for policies and usage.

In October we also announced an exclusive deal for Intercept X, which protects your data from all forms of ransomware. Intercept X can be installed alongside your existing protection and includes a powerful virus cleaner.

Soon, we hope to release the UK’s first Cyber Insurance product specifically designed for schools, which would provide cover in the event of a ransomware attack and enable the recovery of core systems and data.

So whilst the last year has been busy, now is the time schools should act to protect systems and data from attack.